Query Details

Due Date Passed CISA Known Exploited Vulnerabilities

Due Date Passed CISA Known Exploited Vulnerability

Query

let KnowExploitesVulnsCISA = externaldata(cveID: string, vendorProject: string, product: string, vulnerabilityName: string, dateAdded: datetime, shortDescription: string, requiredAction: string, dueDate: datetime, notes: string)[@"https://www.cisa.gov/sites/default/files/csv/known_exploited_vulnerabilities.csv"] with (format="csv", ignoreFirstRecord=True); 
DeviceTvmSoftwareVulnerabilities 
| join kind=inner (KnowExploitesVulnsCISA 
| where dueDate < now()) on $left.CveId == $right.cveID 
| summarize VulnerableDevices = make_set(DeviceName) by CveId, vendorProject, vulnerabilityName, dateAdded, dueDate, shortDescription 
| extend DueDateExceededByDays = datetime_diff('day', now(), dueDate), TotalVulnerableDevices = array_length(VulnerableDevices) 
| project-reorder CveId, vendorProject, DueDateExceededByDays, TotalVulnerableDevices 
| sort by DueDateExceededByDays, TotalVulnerableDevices

About this query

Explanation

This query is designed to identify and track known exploited vulnerabilities in your environment that have passed their due dates for remediation. Here's a simplified breakdown of what the query does:

  1. Data Source: It pulls data from a CSV file provided by CISA, which lists known exploited vulnerabilities, including details like CVE IDs, vendor names, product names, and due dates for action.

  2. Data Joining: It combines this CISA data with your environment's vulnerability data to find matches based on CVE IDs. This helps identify which vulnerabilities listed by CISA are present in your environment.

  3. Due Date Check: It filters the results to only include vulnerabilities where the due date for remediation has already passed.

  4. Calculation: For each of these vulnerabilities, it calculates how many days have passed since the due date. This is shown in a new column called DueDateExceededByDays.

  5. Device Tracking: It also lists the devices affected by each vulnerability and counts the total number of vulnerable devices.

  6. Output: The results are organized to show the CVE ID, vendor, how many days the due date has been exceeded, and the total number of vulnerable devices. The output is sorted by the number of days the due date has been exceeded and the number of vulnerable devices.

This query helps prioritize patching efforts by highlighting vulnerabilities that are overdue for remediation and the extent of their impact on your environment.

Details

Bert-Jan Pals profile picture

Bert-Jan Pals

Released: October 20, 2024

Tables

DeviceTvmSoftwareVulnerabilities

Keywords

DevicesVulnerabilitiesCveIdVendorProjectVulnerabilityNameDateAddedDueDateShortDescriptionNotes

Operators

externaldatawithjoinkind=innerwherenowonsummarizemake_setbyextenddatetime_diffarray_lengthproject-reordersort

Actions

GitHub